(57) Abstract: Disclosed herein is a flexible network security system and method for permitting a trusted process. The system includes a port monitoring unit for extracting information about a server port being used by a network communication program; an internal permitted program storage for extracting information about a program for which communication is permitted by the firewall, and registering the extracted information; an internal permitted port storage which, if the port monitoring unit extracts the information about the server port being used by a program registered in the internal permitted program storage, registers the extracted information about the server port; and a device for making the firewall flexible, which determines whether the destination port of an inbound packet has been registered in the internal permitted port storage, transmits the packet to the firewall if the destination port has not been registered, and allows the packet to bypass the firewall if the destination port has been registered.
Description

FLEXIBLE NETWORK SECURITY SYSTEM AND 
METHOD FOR PERMITTING TRUSTED PROCESS 
Technical Field 

[1] The present invention relates generally to a flexible network security system and method for permitting a trusted process and, more particularly, to a network security system and method in which a port used by a program for which communication is permitted is automatically added to or removed from an Internet connection firewall, thus allowing inexpert users to easily use an Internet connection firewall having excellent functionality.
Background Art 

[2] A firewall is a security system that forms a protection border between a network 

and the outside thereof. 

[3] FIG. 1 is a view showing an Internet Connection Firewall (ICF) for protecting a 

computer and a network, which has been basically provided by Microsoft Inc. since 
the XP version of Windows. 

[4] The ICF is software used to set restrictions on information communicated between a network or small-scale network and the Internet, and protects the Internet connection of a single computer.

[5] Meanwhile, a conventional ICF is a stateful firewall. The term stateful firewall refers to a firewall which monitors all the communication passing through a corresponding path, and inspects the origin, destination address and port of each message to be processed.

[6] The ICF permits outbound traffic but blocks inbound traffic, so that a network inside the ICF is not visible from the outside. For this reason, in a Personal Computer (PC) firewall, this function is referred to as a "stealth function."

[7] The operation of the ICF is described in brief below. 

[8] The ICF keeps track of traffic originating from the ICF computer and maintains a communication table, so that unwanted traffic does not enter through the personal connection. All inbound traffic from the Internet is compared with the entries in the table. Only when a matching entry exists in the table, proving that the communication originated from the user's computer, is inbound Internet traffic passed to the network computer.

[9] In contrast, when an Internet connection is not permitted on the basis of the firewall permission list, the ICF disconnects the connection. Accordingly, general hacking, such as port scanning, can be blocked by automatically canceling unwanted communication.

[10] For example, when an ICF computer is scanned using the Nmap scanning tool on Linux in order to check such a case, the ICF computer does not respond to any scan operation, so that Network Mapper (Nmap) determines for every scan that the target computer does not exist on the network, and outputs the message "Host Seems Down." As described above, the ICF blocks general hacking, such as port scanning, by automatically canceling unwanted communication.

[11] Meanwhile, when the ICF is installed on a computer providing a web service, the ICF blocks inbound traffic, so that the Internet connection is cut off and normal web service cannot be offered. To solve this problem, the ICF permits inbound traffic to port 80, which is used by the service, thus allowing normal web service.

[12] As described above, the ICF allows normal service to be used by adding services 
and protocols, and the PC firewall also provides such functions. 

[13] Meanwhile, the problem of the ICF is described below. 

[14] Recent Internet software, such as a web server, a File Transfer Protocol (FTP) server, a telnet server, a peer-to-peer (P2P) program, a remote control program and a messenger program, operates as a service-providing server. Furthermore, the amount of software operating as a server in this way is increasing remarkably, and such software tends to be used by many general users.

[15] However, most users avoid using the stealth function of the ICF or PC firewall because the above-described software operating as a server does not operate normally behind it. In Windows XP, as shown in FIG. 2, the corresponding software can be used normally by adding the port, protocol, and Internet Protocol (IP) address that the software operating as a server uses. However, it is difficult for inexpert users to set these because they have difficulty in finding which port the software is serving on.

[16] Furthermore, since a port operating as a server may be changed when the version of 

the software is upgraded, normal service may be unexpectedly interrupted. For these 
reasons, there is a problem in that it is difficult for general users to use the stealth 
functions of the ICF and the PC firewall despite their desired characteristics. 
Disclosure of Invention 
Technical Problem 

[17] Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and an object of the present invention is to provide a network security system and method in which a port used by a program for which communication is permitted is automatically added to or removed from an Internet connection firewall, thus allowing inexpert users to easily use a desired function of the Internet connection firewall.
Technical Solution 

[18] In order to accomplish the above object, the present invention provides a network security system for permitting a trusted process using a firewall, the firewall protecting a corresponding network connection of a computer to a network by setting restrictions on information communicated between networks, including a port monitoring unit for extracting information about a server port being used by a network communication program; an internal permitted program storage for extracting information about a program for which communication is permitted by the firewall, and registering the extracted information; an internal permitted port storage which, if the port monitoring unit extracts the information about the server port being used by a program registered in the internal permitted program storage, registers the extracted information about the server port; and a device for making the firewall flexible, which determines whether the destination port of an inbound packet has been registered in the internal permitted port storage, transmits the packet to the firewall if the destination port has not been registered, and allows the packet to bypass the firewall if the destination port has been registered.

[19] In addition, in order to accomplish the above object, the present invention provides a network security method of permitting a trusted process using a firewall, the firewall protecting a corresponding network connection of a computer to a network by setting restrictions on information communicated between networks, including the first step of extracting information about a server port being used by a network communication program; the second step of extracting information about a program for which communication is permitted by the firewall, and registering the extracted information in an internal permitted program storage; the third step of, if information about the server port being used is extracted at the first step for a program registered in the internal permitted program storage, registering the information about the extracted server port in an internal permitted port storage; the fourth step of determining whether the destination port of an inbound packet has been registered in the internal permitted port storage; the fifth step of, if, as a result of the determination at the fourth step, the destination port has not been registered, transmitting the inbound packet to the firewall; and the sixth step of, if, as a result of the determination at the fourth step, the destination port has been registered, allowing the corresponding packet to bypass the firewall.

[20] Preferably, in the case of communication using Transmission Control Protocol (TCP), the first step extracts the listen port through hooking when a socket performs listen to operate as a server.

[21] Preferably, in the case of communication using User Datagram Protocol (UDP), the first step extracts the server port by performing hooking in the user mode when a socket calls the relevant function to receive a packet.
Advantageous Effects 

[22] As described above, in accordance with the present invention, a port used by a program for which communication is permitted is automatically added to or removed from the ICF, so that inexpert users are capable of easily using the ICF having excellent functionality.
Brief Description of the Drawings 

[23] The above and other objects, features and advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:

[24] FIG. 1 is a view showing an ICF for protecting a computer and a network, which has been provided by Microsoft Inc. as standard since the XP version of Windows;

[25] FIG. 2 is a view showing an interface screen in Windows XP that allows a port, a protocol, and an IP address used by software that operates as a server to be added;

[26] FIG. 3 is a block diagram showing the mode division of the Microsoft Windows operating system used in the present invention;

[27] FIG. 4 is a schematic flowchart showing the operation of an ICF according to the present invention, which illustrates the processes of installing a port monitoring unit and the ICF, and storing a permitted program list in an internal permitted program storage;

[28] FIG. 5 is a view showing an interface screen that is displayed to allow a list of programs permitted to communicate to be stored in an internal permitted program storage in a flexible ICF in accordance with an embodiment of the present invention;

[29] FIG. 6 is a block diagram showing the operation of an entire firewall using a device for making an ICF flexible according to the present invention;

[30] FIG. 7 is a flowchart showing a process of storing a server port in, and deleting it from, the internal permitted port storage of a flexible ICF according to an embodiment of the present invention; and
[31] FIG. 8 is a flowchart showing a packet processing flow performed in front of an 

ICF in accordance with an embodiment of the present invention. 

Best Mode for Carrying Out the Invention 
[32] A flexible network security system and method for permitting a trusted process in accordance with an embodiment of the present invention is described in detail with reference to the accompanying drawings below.
[33] First, the related art corresponding to the background of the present invention is 

described in brief. 

[34] FIG. 3 is a block diagram showing the mode division of a Microsoft Windows 

operating system used in the present invention. 

[35] Referring to FIG. 3, Windows XP, which is provided by Microsoft Inc., provides a kernel mode and a user mode. In the kernel mode, the operating system kernel and various kinds of device drivers run, and in the user mode, applications mainly run. Programs which operate in the kernel mode exist in the form of device drivers. The kernel mode network structure supported by the Microsoft Windows operating system includes afd.sys (AFD), that is, the kernel part of the Windows socket, the Network Driver Interface Specification (NDIS), and the Transport Driver Interface (TDI).

[36] afd.sys, which exists at the uppermost layer in the kernel mode, communicates with msafd.dll, the Dynamic Link Library (DLL) which exists at the lowermost layer of the user mode Windows socket, and constitutes an interface with the TDI existing at the layer below it.

[37] The TDI defines a kernel mode interface which exists above the protocol stack. The NDIS provides a standard interface for Network Interface Card Device Drivers (NICDDs).

[38] A method of constructing a firewall in the user mode of the Microsoft Windows 

operating system is described below in brief. 

[39] Hooking refers to a widely known programming method that stores the address of an original function intended to be hooked, and replaces the address of the original function with the address of a function made by the user, so that the original function is executed afterward through the execution of the user's function.

[40] 1) Winsock Layered Service Provider (LSP) 

[41] This method is provided by Microsoft Inc., and is based on the Service Provider Interface (SPI), a component of Microsoft networking that is widely used for Quality of Service (QoS), URL filtering, and the encryption of a data stream.

WO 2005/064842 PCT/KR2004/003456
[42] 2) Windows 2000 Packet Filtering Interface 

[43] Windows 2000 uses a method of installing a filter descriptor so that an application 

program in the user mode can perform permission and blocking on the basis of an IP 
address and port information. 

[44] 3) Winsock Dll replacement 

[45] This method is based on a method of filtering by replacing the Winsock DLL of 

Microsoft Windows with a DLL made by the user. 
[46] 4) Global Function Hooking

[47] This method is based on hooking the Windows socket functions, such as connect, listen, send, recv, sendto, and recvfrom, or the DeviceIoControl() function that an application in the user mode uses to communicate with a driver in the kernel mode.

[48] A method of constructing a firewall in the kernel mode of the Microsoft Windows 

operating system is described in brief below. 
[49] 1) Kernel Mode Socket Filter

[50] This scheme is based on hooking all the Inputs/Outputs (I/Os) through which msafd.dll, the DLL existing at the lowermost layer below the Windows socket in the user mode, communicates with afd.sys, the kernel mode Windows socket.

[51] 2) TDI filter driver 

[52] This scheme is based on a filter driver produced by applying the IoAttachDevice() API to a device created by the tcpip.sys driver, such as \Device\RawIp, \Device\Udp, \Device\Tcp, \Device\Ip or \Device\MULTICAST. Alternatively, this method hooks all I/Os by replacing the dispatch table existing in the driver object of tcpip.sys.

[53] 3) NDIS Intermediate (IM) driver

[54] This scheme is a method provided to users by Microsoft Inc., and allows a firewall and a Network Address Translation (NAT) to be developed through insertion between a protocol driver, such as TCP/IP, and an NIC driver.

[55] 4) NDIS hooking filter driver 

[56] This scheme hooks the functions of the NDIS library, either by hooking functions such as NdisRegisterProtocol, NdisDeregisterProtocol, NdisOpenAdapter and NdisCloseAdapter, or by hooking the I/Os exchanged between a protocol driver and an NIC driver through the NDIS after finding an existing registered protocol driver link, such as TCP/IP, on the basis of the NdisProtocolHandle returned by the NdisRegisterProtocol function that registers the protocol driver.
[57] The ICF according to the present invention may be implemented in the above-described kernel mode socket filter, TDI filter driver, NDIS IM driver or NDIS hooking filter driver, and is generally implemented in the NDIS IM driver or the NDIS hooking filter driver.

[58] The ICF maintains the entire communication table of IPs and ports by keeping track 

of traffic originating from an ICF computer. All inbound traffic from the Internet is 
compared with items existing in this communication table. Only when it is proved that 
a matching item exists in the table and, therefore, communication originated from the 
user's computer, inbound Internet traffic is permitted; otherwise the traffic is blocked. 

[59] Granting permission to inbound traffic is performed by calling the address of the hooked original function. In contrast, blocking inbound traffic is performed either by returning a false result indicating that the call to the original function succeeded or failed, without calling the original function, or by providing false information so that the original function is called but does not perform its function normally.

[60] A flexible network security system and method for permitting a trusted process according to the present invention is described below on the basis of the above description of the firewall.

[61] FIG. 4 is a schematic flowchart showing the operation of an ICF according to the 

present invention, which illustrates processes of installing a port monitoring unit and 
the ICF, and storing a permitted program list in an internal permitted program storage. 

[62] First, at step S410, a port monitoring unit and an ICF are installed. 

[63] In the case of TCP, when a socket performs listen to operate as a server, the port monitoring unit extracts the listen port through Winsock hooking. Furthermore, when the corresponding operation is performed in msafd.dll, when the corresponding operation in the kernel is performed in the AFD, that is, the socket part of the kernel, or when TDI_EVENT_CONNECT is set through TdiSetEvent() in the TDI, the port monitoring unit extracts the listen port.

[64] In the case of User Datagram Protocol (UDP), when a socket calls recvfrom to receive a packet, the server port for receiving the packet is extracted by Winsock hooking in the user mode. Furthermore, when the corresponding subsequent operation exists in the AFD in the kernel mode, or when TDI_EVENT_RECEIVE_DATAGRAM is set through the corresponding TdiSetEvent(), the server port for receiving the packet is extracted.

[65] The port monitoring unit is installed by Winsock hooking in the user mode, or by the kernel mode socket filter and the TDI filter driver in the kernel mode, and functions to extract server port information, protocol information (TCP, UDP, etc.), and OPEN/CLOSE information.
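The following C program is an added illustration, not code from the patent, of the hooking pattern of paragraph [39] applied to the TCP case of paragraphs [63] and [65]: the original listen() address is saved, a replacement is installed in its place, and the replacement records the bound port before calling through to the original. It uses POSIX sockets on a loopback ephemeral port in place of Winsock, and the dispatch-slot variables and function names are this example's own. One practical point the text leaves implicit: listen() carries no port argument, so the monitor must read the port back from the socket with getsockname().

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* A function-pointer "dispatch slot" standing in for the Winsock entry a real
 * hook would patch (ws2_32!listen, or the msafd.dll -> afd.sys path).
 * Names below are this example's own. */
typedef int (*listen_fn)(int, int);
static listen_fn real_listen = listen;   /* saved address of the original */
static listen_fn hooked_listen = NULL;   /* installed replacement, or NULL */

/* Most recent listen port observed by the (simulated) port monitoring unit. */
static unsigned short g_last_listen_port = 0;

/* The user-made replacement: record the port, then execute the original. */
static int monitor_listen(int s, int backlog) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    /* listen() has no port parameter; the bound port comes from getsockname(). */
    if (getsockname(s, (struct sockaddr *)&sa, &len) == 0 && sa.sin_family == AF_INET)
        g_last_listen_port = ntohs(sa.sin_port);
    return real_listen(s, backlog);
}

/* Hook install in the order of paragraph [39]: save original, replace address. */
static void install_listen_hook(void) {
    real_listen = listen;
    hooked_listen = monitor_listen;
}

/* Call site: goes through the hook when installed, otherwise the original. */
static int call_listen(int s, int backlog) {
    return hooked_listen ? hooked_listen(s, backlog) : real_listen(s, backlog);
}

/* Bind a TCP socket to a kernel-chosen loopback port, listen through the hook,
 * and return the port the monitor extracted, cross-checked against the
 * kernel's own view of the socket. Returns 0 on any failure or mismatch. */
unsigned short demo_extract_listen_port(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return 0;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                       /* ephemeral, so this runs anywhere */
    g_last_listen_port = 0;
    install_listen_hook();
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) != 0 || call_listen(s, 1) != 0) {
        close(s);
        return 0;
    }
    struct sockaddr_in chk;
    socklen_t clen = sizeof chk;
    unsigned short kernel_port = 0;
    if (getsockname(s, (struct sockaddr *)&chk, &clen) == 0)
        kernel_port = ntohs(chk.sin_port);
    close(s);
    return (kernel_port != 0 && kernel_port == g_last_listen_port) ? kernel_port : 0;
}

int main(void) {
    unsigned short p = demo_extract_listen_port();
    printf("port monitoring unit saw listen on TCP port %u\n", p);
    return p ? 0 : 1;
}
```

A production port monitoring unit patches the real import or dispatch table (or sits in the kernel mode socket filter or TDI filter, as paragraph [65] allows) instead of a local function pointer, but the save, replace and call-through order is the same, and the same getsockname() step is what turns a listen() event into a (protocol, port) record for the permitted port storage.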

[66] Thereafter, the ICF is installed. Such an ICF may be implemented in a kernel mode socket filter, a TDI filter driver, an NDIS IM driver, a Windows 2000 filter hook driver or an NDIS hooking filter driver, and is generally installed through the NDIS IM driver or the NDIS hooking filter driver in the same manner as described above.

[67] Then, at step S420, a permitted program list is stored in an internal permitted program storage. FIG. 5 is a view showing an interface screen that is displayed to allow a list of programs permitted to communicate to be stored in the internal permitted program storage in the flexible ICF in accordance with an embodiment of the present invention.

[68] As shown in FIG. 5, when a program to be permitted by the ICF is selected, the program name, the entire path of the program, and the Message Digest algorithm 5 (MD5) hash value of the corresponding program file, used for checking the integrity of the program, are obtained. The program name, the entire path of the program, and the program MD5 hash value obtained as described above are stored in the internal permitted program storage.

[69] The internal permitted program storage stores data in the form of the following Table 1, as a file or a database including information about the program name, the entire path of the program, and the program MD5 hash value.

[70] Table 1

  No. | Entire path of program                      | Program MD5 hash value
  ----+---------------------------------------------+-----------------------------------
  1   | D:\Program Files\MSN Messenger\msnmsgr.exe  | 0x8327648276482368682376482637872
  2   | D:\Program Files\PcAnywhere.exe             | 0x03847293874298379427973928479374
  3   |                                             |
[71] FIG. 6 is a block diagram showing the operation of an entire firewall using a device for making an ICF flexible according to the present invention, which is described in detail below.
[72] When an Internet use program 610 opens a server port to operate as a server, a 

device for making an ICF flexible 620 determines whether a program, which opened 
the corresponding server port, has been registered in an internal permitted program 
storage 650. 

[73] When the corresponding program has been registered, the device for making an ICF flexible 620 registers the opened server port in an internal permitted port storage 660.

[74] Meanwhile, when inbound traffic is transmitted from the outside, the inbound 
traffic reaches an ICF 630 after passing through a network card 640. The device for 
making an ICF flexible 620 determines whether a destination port has been registered 
in the internal permitted port storage 660 by examining the packets of the inbound 
traffic. 

[75] If, as a result of the determination, the corresponding port has not been registered, the packet is transmitted to the ICF 630 and is blocked there. However, if the corresponding port has been registered, the packet is not passed through the ICF 630; instead, the device for making an ICF flexible 620 calls the hooked original function so that the packet bypasses the ICF.

[76] The following Table 2 is an example showing ports registered in the internal 

permitted port storage. 

[77] Table 2

  No. | Entire path of program                        | Protocol | Port
  ----+-----------------------------------------------+----------+------
  1   | D:\Program Files\MSN Messenger\msnmsgr.exe    | TCP      | 1863
  2   | D:\Program Files\MSN Messenger\msnmsgr.exe    | TCP      | 6891
  3   | D:\Program Files\PcAnywhere\PcAnywhere.exe    | TCP      | 5631
  4   | D:\Program Files\PcAnywhere\PcAnywhere.exe    | UDP      | 5632
[78] As shown in Table 2, the internal permitted port storage includes information about the entire path of the program, the protocol and the port, and may exist in the form of an array or linked list in memory, or in the form of a file or a database.

[79] FIG. 7 is a flowchart showing a process of storing and deleting a server port in and 

from the internal permitted port storage of a flexible ICF according to an embodiment 
of the present invention, which is described in detail below. 

[80] First, at step S701, information about a server port, OPEN/CLOSE information, and protocol information are extracted by the port monitoring unit, and then, at step S703, the port monitoring unit determines whether the current program, which opened the server port, has been registered in the internal permitted program storage.

[81] Meanwhile, information about the current process that is using the network is obtained as follows: the port monitoring unit extracts the ID of the current process using the PsGetCurrentProcessId() function, and acquires the entire path of the current program through the process ID. The MD5 hash value of the corresponding program is computed from the file at the entire path obtained as described above, and it is determined whether the current program exists in the internal permitted program storage using both the MD5 hash value and the entire path of the program.

[82] If, as a result of the determination at step S703, the current program has not been registered, the process ends. In contrast, if the current program has been registered, at step S705 it is determined whether the server port is being opened or closed using the extracted OPEN/CLOSE information.
[83] If, as a result of the determination at step S705, the server port has been opened, the information about the entire path of the program, the protocol and the server port is registered at step S709, and the process ends.
[84] In contrast, if, as a result of the determination at step S705, the server port has been closed, the entries of the permitted port storage matching the entire path of the program, the protocol and the server port are searched for and then deleted at steps S706 and S707, and the process ends.
[85] FIG. 8 is a flowchart showing a packet processing flow performed in front of an 

ICF in accordance with an embodiment of the present invention, which is described in 

detail below. 

[86] First, at step S801, a packet is extracted from the inbound traffic before being processed by the ICF and then, at step S803, information about the corresponding destination (local) port and protocol is extracted from the packet.

[87] Thereafter, at step S805, it is determined whether the information about the corresponding destination (local) port and protocol has been registered in the internal permitted port storage.

[88] If, as a result of the determination at step S805, the information has not been registered, the corresponding packet is transmitted to the ICF at step S807. In contrast, if the information has been registered, the destination port must be a permitted port, so the inbound traffic is allowed to bypass the ICF by calling the hooked original function.
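The following C program is an added example, not the patent's own code, that implements the two storages and the two flows of FIGS. 6 to 8 in plain user-mode C: the permitted program storage of Table 1 (entire path plus MD5), the permitted port storage of Table 2 (path, protocol, port), the OPEN/CLOSE handling of FIG. 7 (steps S701 to S709) and the per-packet decision of FIG. 8 (steps S803 to S807). The MD5 digest is assumed to be computed elsewhere and passed in as a hex string, the sample path is modelled on Table 1, and the digest value is a constructed placeholder rather than the hash of any real file.

```c
#include <stdio.h>
#include <string.h>

/* Row shapes follow Table 1 (permitted programs) and Table 2 (permitted ports).
 * Fixed-size arrays stand in for the file, database or linked list the text
 * allows for each storage. All names here are this example's own. */
#define MAX_PROGRAMS 16
#define MAX_PORTS    64
#define PATH_LEN     260

enum proto { PROTO_TCP = 6, PROTO_UDP = 17 };
enum port_event { PORT_CLOSE = 0, PORT_OPEN = 1 };

struct permitted_program { char name[64]; char path[PATH_LEN]; char md5_hex[33]; };
struct permitted_port    { char path[PATH_LEN]; enum proto proto; unsigned short port; };

struct flexible_icf {
    struct permitted_program programs[MAX_PROGRAMS]; int n_programs;
    struct permitted_port    ports[MAX_PORTS];       int n_ports;
};

/* Step S420 / FIG. 5: register a program by name, entire path and the MD5 of
 * its image. The digest is supplied already computed (assumption of this example). */
int register_program(struct flexible_icf *f, const char *name, const char *path,
                     const char *md5_hex) {
    if (f->n_programs >= MAX_PROGRAMS) return -1;
    struct permitted_program *p = &f->programs[f->n_programs++];
    snprintf(p->name, sizeof p->name, "%s", name);
    snprintf(p->path, sizeof p->path, "%s", path);
    snprintf(p->md5_hex, sizeof p->md5_hex, "%s", md5_hex);
    return 0;
}

/* Step S703 / paragraph [81]: the process is trusted only if BOTH its entire
 * path and the hash of its image match one registered row. */
static int program_is_permitted(const struct flexible_icf *f, const char *path,
                                const char *md5_hex) {
    for (int i = 0; i < f->n_programs; i++)
        if (!strcmp(f->programs[i].path, path) && !strcmp(f->programs[i].md5_hex, md5_hex))
            return 1;
    return 0;
}

/* Table 2 lookup. path == NULL matches any owner: at packet time only the
 * protocol and destination port are known. */
static int find_port(const struct flexible_icf *f, const char *path, enum proto proto,
                     unsigned short port) {
    for (int i = 0; i < f->n_ports; i++)
        if (f->ports[i].proto == proto && f->ports[i].port == port &&
            (!path || !strcmp(f->ports[i].path, path)))
            return i;
    return -1;
}

/* FIG. 7: one OPEN/CLOSE event from the port monitoring unit (S701).
 * Returns 1 if the permitted port storage changed, otherwise 0. */
int on_port_event(struct flexible_icf *f, const char *path, const char *md5_hex,
                  enum proto proto, unsigned short port, enum port_event ev) {
    if (!program_is_permitted(f, path, md5_hex)) return 0;   /* S703: not registered */
    int idx = find_port(f, path, proto, port);
    if (ev == PORT_OPEN) {                                    /* S705 -> S709 */
        if (idx >= 0 || f->n_ports >= MAX_PORTS) return 0;
        struct permitted_port *e = &f->ports[f->n_ports++];
        snprintf(e->path, sizeof e->path, "%s", path);
        e->proto = proto; e->port = port;
        return 1;
    }
    if (idx < 0) return 0;                                    /* S706 -> S707: delete */
    f->ports[idx] = f->ports[--f->n_ports];
    return 1;
}

/* FIG. 8 (S803 -> S807): decision in front of the ICF for one inbound packet.
 * 1 = call the hooked original and bypass the ICF; 0 = hand the packet to the ICF. */
int inbound_bypasses_icf(const struct flexible_icf *f, enum proto proto,
                         unsigned short dst_port) {
    return find_port(f, NULL, proto, dst_port) >= 0;
}

/* Walks the scenario of Tables 1 and 2 with constructed data (the digest is a
 * placeholder, not a real MD5); returns how many of the six expected outcomes
 * held, 6 meaning all of them. */
int demo_scenario(void) {
    static const char *msn = "D:\\Program Files\\MSN Messenger\\msnmsgr.exe";
    static const char *md5 = "0123456789abcdef0123456789abcdef";
    struct flexible_icf f;
    memset(&f, 0, sizeof f);
    int ok = 0;
    ok += register_program(&f, "msnmsgr.exe", msn, md5) == 0;
    ok += on_port_event(&f, msn, md5, PROTO_TCP, 1863, PORT_OPEN) == 1;
    ok += inbound_bypasses_icf(&f, PROTO_TCP, 1863) == 1;     /* registered: bypass */
    ok += inbound_bypasses_icf(&f, PROTO_UDP, 1863) == 0;     /* other protocol: ICF */
    /* Same path but a different image hash (a replaced binary): not trusted. */
    ok += on_port_event(&f, msn, "ffffffffffffffffffffffffffffffff", PROTO_TCP, 6891, PORT_OPEN) == 0;
    /* CLOSE deletes the row, so the port falls back under the ICF's normal rules. */
    ok += on_port_event(&f, msn, md5, PROTO_TCP, 1863, PORT_CLOSE) == 1 &&
          inbound_bypasses_icf(&f, PROTO_TCP, 1863) == 0;
    return ok;
}

int main(void) {
    printf("scenario checks passed: %d/6\n", demo_scenario());
    return 0;
}
```

Two points about the check at step S703 and the decision at step S805 are worth keeping in view. The program match requires both the entire path and the image hash, so a binary swapped in at the same path is not trusted; the example keeps the digest as an opaque string because the text specifies MD5, which is no longer collision resistant, and a current implementation would substitute SHA-256 without changing anything else. The packet-time decision keys only on protocol and destination port, exactly as Table 2 is indexed, which is why the CLOSE branch of FIG. 7 matters: if the row were not deleted when the trusted program releases the port, any later process binding the same port would inherit the bypass.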

Mode for the Invention 

[89] Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, it will be apparent to those skilled in the art that various modifications, additions and substitutions thereof are possible without departing from the spirit of the invention. Accordingly, the scope of the invention will be limited only by the accompanying claims, in which it will be appreciated that the examples of the modifications, additions and substitutions are all included.
Industrial Applicability 

[90] As described above, in accordance with the present invention, a port used by a program for which communication is permitted is automatically added to or removed from the ICF, so that inexpert users are capable of easily using the ICF having excellent functionality.
Claims

[1] A network security system for permitting a trusted process using a firewall, the 

firewall protecting a corresponding network connection of a computer to a 
network by setting restrictions on information communicated between networks, 
comprising: 

a port monitoring unit for extracting information about a server port being used 
through a network communication program; 

an internal permitted program storage for extracting information about a program 
for which communication is permitted by the firewall, and registering the 
extracted information; 

an internal permitted port storage, if the port monitoring unit extracts the in- 
formation about the server port being used using the program registered in the 
internal permitted program storage, registering the extracted information about 
the server port; and 

a device for making the firewall flexible, determining whether a destination port of a packet of inbound traffic has been registered in the internal permitted port storage, and if the destination port has not been registered, transmitting the corresponding packet to the firewall, and if the destination port has been registered, allowing the corresponding packet to bypass the firewall.

[2] The network security system as set forth in claim 1, wherein the information 

about the program, which is extracted and registered in the internal permitted 
program storage, includes information about a program name, an entire path of 
the program, and a program Message Digest 5 (MD5) hash value. 

[3] The network security system as set forth in claim 1, wherein the information about the server port, which is extracted and registered in the internal permitted port storage, includes information about an entire path of the program, a protocol, and a port.

[4] A network security method of permitting a trusted process using a firewall, the 

firewall protecting a corresponding network connection of a computer to a 
network by setting restrictions on information communicated between networks, 
comprising: 

the first step of extracting information about a server port being used through a network communication program;

the second step of extracting information about a program for which communication is permitted by the firewall, and registering the extracted information in an internal permitted program storage;

the third step of, if information about the server port being used is extracted using the program registered in the internal permitted program storage at the first step, registering the information about the extracted server port in an internal permitted port storage;

the fourth step of determining whether a destination port of a packet of inbound 
traffic has been registered in the internal permitted port storage; 
the fifth step of, if, as a result of the determination at the fourth step, the destination port has not been registered, transmitting the packet of inbound traffic to the firewall; and

the sixth step of, if, as a result of the determination at the fourth step, the 
destination port has been registered, allowing the corresponding packet to bypass 
the firewall. 

[5] The network security method as set forth in claim 4, wherein, in the case of performing communication using Transmission Control Protocol (TCP), the first step extracts a listen port through hooking when a socket performs listen to operate as a server.

[6] The network security method as set forth in claim 4, wherein, in the case of communication using User Datagram Protocol (UDP), the first step extracts the server port by performing hooking in a user mode when a socket calls a relevant function to receive a packet.

[7] The network security method as set forth in claim 4, wherein, the sixth step 

allows the corresponding packet to bypass the firewall by calling a hooked 
original function. 

[8] The network security method as set forth in claim 4, wherein the information about the program, which is extracted and registered at the second step, includes information about a program name, an entire path of the program, and a program Message Digest 5 (MD5) hash value.

[9] The network security method as set forth in claim 4, wherein the information of the server port, which is extracted and registered at the third step, includes information about an entire path of the program, a protocol, and a port.

[10] A computer-readable recording medium for performing a network security method using a firewall, the medium storing a program for executing the method, the method comprising:
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the first step of extracting infoi luauuii auout a server port being used through a 
network communication program; 

the second step of extracting information about a program for which com- 
munication is permitted by the firewall, and registering the extracted information 
in an internal permitted program storage; 

the third step of, if information about the server port being used is extracted 
using the prtgram registered in the internal permitted program storage at the first 
step, registering the information about the extracted server port in an internal 
permitted port storage; 

the fourth step of determining whether a destination port of a packet of inbound 
traffic has been registered in the internal permitted port storage; 
the fifth step of, if , as a result of the determination at the fourth step, the 
destination port has not been registered, transmitting the packet of inbound 
traffic to the firewall and 

the sixth step of, if, as a result of the determination at the fourth step, the 
destination port has been registered, allowing the corresponding packet to bypass 
die firewall. 
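The six-step method of claims 4 to 10, modelled as an added Python example (not code from the patent or its applicant): the class, the socket event names, the sample program path and image bytes are constructed here; the MD5 re-check at listen time is the claim 8 hash applied as a defender would, to keep a modified binary at the same path from inheriting the permission.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FlexibleFirewall:
    """Constructed model of the two storages and the bypass decision."""
    # internal permitted program storage: entire path -> (name, MD5 of the image)
    programs: dict = field(default_factory=dict)
    # internal permitted port storage: (protocol, port) -> entire path of the program
    ports: dict = field(default_factory=dict)

    def permit_program(self, path: str, name: str, image: bytes) -> None:
        """Second step: register name, entire path and MD5 hash (claim 8)."""
        self.programs[path] = (name, hashlib.md5(image).hexdigest())

    def on_socket_event(self, event: str, path: str, image: bytes,
                        proto: str, port: int) -> bool:
        """First and third steps: the port monitoring unit reports a hooked TCP
        listen or UDP receive (claims 5, 6), or a socket close.  The port is
        registered only if the calling program is in the permitted program
        storage and its image still hashes to the registered MD5.  Returns
        True when the permitted port storage changed."""
        entry = self.programs.get(path)
        if entry is None or entry[1] != hashlib.md5(image).hexdigest():
            return False  # unknown or modified program: the firewall decides
        key = (proto, port)
        if event in ("listen", "recv"):
            self.ports[key] = path  # claim 9: entire path, protocol, port
            return True
        if event == "close":
            return self.ports.pop(key, None) is not None
        return False

    def inbound(self, proto: str, dst_port: int) -> str:
        """Fourth to sixth steps: 'bypass' when the destination port is
        registered, otherwise 'firewall' (packet handed to the ICF rules)."""
        return "bypass" if (proto, dst_port) in self.ports else "firewall"


def demo() -> list:
    """Open, probe and close a port of a constructed permitted program."""
    fw = FlexibleFirewall()
    path, image = r"C:\Example\app.exe", b"constructed image"  # constructed
    fw.permit_program(path, "app.exe", image)
    fw.on_socket_event("listen", path, image, "tcp", 5000)
    opened, other = fw.inbound("tcp", 5000), fw.inbound("tcp", 5001)
    fw.on_socket_event("close", path, image, "tcp", 5000)
    return [opened, other, fw.inbound("tcp", 5000)]  # bypass, firewall, firewall
```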



WO 2005/064842 PCT/KR2004/003456 (drawing sheets 1/4 to 4/4) 

[Fig. 1] Internet Connection Firewall properties dialog (General / Authentication / Advanced tabs): "Protect my computer and network by limiting or preventing access to this computer from the Internet"; "Learn more about Internet Connection Firewall"; "If you're not sure how to set these properties, use the Network Setup Wizard instead"; Settings... / OK / Cancel. 

[Fig. 2] Advanced Settings dialog (Services / Security Logging / ICMP tabs): "Select the services running on your network that Internet users can access", with checkboxes for FTP Server; Internet Mail Access Protocol Version 3 (IMAP3); Internet Mail Access Protocol Version 4 (IMAP4); Internet Mail Server (SMTP); Post-Office Protocol Version 3 (POP3); Remote Desktop; Secure Web Server (HTTPS); Telnet Server. 

[Fig. 3] Windows network stack diagram. User mode: Windows socket application, Windows socket, LSP (Layered Service Provider), Msafd.dll. Kernel mode: Transport Data Interface (TDI), Afd.sys, other TDI client drivers, TCP/IP protocol driver (tcpip.sys), other NDIS protocol drivers (Nbf.sys, NetBT.sys), NDIS-Hooking Filter, NDIS, NDIS Intermediate, NDIS Wrapper, Filtered NDIS API, NDIS Miniport, NDIS API, Net card. 

[Fig. 4] Flowchart: start; S410 install port monitoring unit and internet connection firewall; S420 store permitted program list in internal permitted program storage. 

[Fig. 5] File selection dialog (Look in: Messenger; File name; Files of type; Open / Cancel). 

[Fig. 6] Block diagram: 610 internet use program; 620 device for making ICF flexible; 630 ICF; 640 network card; 650 internal permitted program storage; 660 internal permitted port storage. 

[Fig. 7] Flowchart (steps S701 to S709): start; extract server port from port monitoring unit; does this program exist in the internal permitted program storage?; has a server port for receiving connections from the outside been opened? (yes: store server port to be permitted in internal permitted port storage); has a server port for receiving connections from the outside been closed? (yes: delete server port to be permitted from internal permitted port storage). 

[Fig. 8] Flowchart (steps S801 to S809): start; extract packet outside ICF; extract destination (local) port from packet; ICF; bypass ICF. 

SUBSTITUTE SHEET 

INTERNATIONAL SEARCH REPORT 

International application No. PCT/KR2004/003456 

A. CLASSIFICATION OF SUBJECT MATTER 
IPC7 H04L9/00 
According to International Patent Classification (IPC) or to both national classification and IPC 

B. FIELDS SEARCHED 
Minimum documentation searched (classification system followed by classification symbols) 
IPC7 H04L9/00 

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 
KOREAN PATENTS AND APPLICATIONS FOR INVENTIONS SINCE 1975 
KOREAN UTILITY MODELS AND APPLICATIONS FOR UTILITY MODELS SINCE 1975 

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 
Korean Intellectual Property Office Patent Search System "FIREWALL & NETWORK & SECURITY" 

C. DOCUMENTS CONSIDERED TO BE RELEVANT 
Category* | Citation of document, with indication, where appropriate, of the relevant passages | Relevant to claim No. 
Y | KR20020086434 A (SAMSUNG ELECTRONICS CO., LTD.) 18 Nov 2002 (2002.11.18) * THE WHOLE DOCUMENT | 1-10 
Y | KR20020001190 A (LG ELECTRONICS INC) 15 Jun 2003 (2002.06.15) * THE WHOLE DOCUMENT | 1-10 
  | JP2004054488 A (YOKOGAWA ELECTRIC CORP) 19 Feb 2004 (2004.02.19) * THE WHOLE DOCUMENT | 1-10 

[ ] Further documents are listed in the continuation of Box C. 
[X] See patent family annex. 

* Special categories of cited documents: 
"A" document defining the general state of the art which is not considered to be of particular relevance 
"E" earlier application or patent but published on or after the international filing date 
"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified) 
"O" document referring to an oral disclosure, use, exhibition or other means 
"P" document published prior to the international filing date but later than the priority date claimed 
"T" later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention 
"X" document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone 
"Y" document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art 
"&" document member of the same patent family 

Date of the actual completion of the international search: 06 APRIL 2005 (06.04.2005) 
Date of mailing of the international search report: 11 APRIL 2005 (11.04.2005) 

Name and mailing address of the ISA/KR 
Korean Intellectual Property Office 
920 Dunsan-dong, Seo-gu, Daejeon 302-701, Republic of Korea 
Facsimile No. 82-42-472-7140 

Authorized officer: UHM, In Kwon 
Telephone No. 82-42-481-5712 

Form PCT/ISA/210 (second sheet) (January 2004) 

INTERNATIONAL SEARCH REPORT 
Information on patent family members 

International application No. PCT/KR2004/003456 

Patent document cited in search report | Publication date | Patent family member(s) | Publication date 
KR20020086434 A | 18.11.2002 | NONE | 
JP16054488 A | 19.02.2004 | NONE | 
KR20020001190 A | 09.01.2002 | US20010056550 A1 | 27.12.2001 

Form PCT/ISA/210 (patent family annex) (January 2004) 



